IDIM Privacy Enhancing Features Summary Identity Information Management Project (IDIM) Integration Infrastructure Program (IIP) Office of the CIO
|
|
- Thomas Lawson
- 8 years ago
- Views:
Transcription
1 IDIM Privacy Enhancing Features Summary Identity Information Management Project (IDIM) Integration Infrastructure Program (IIP) Contact: Peter Watkins Phone: Version: 1.0 Date: March 5, 2009
2 Document Revision History Date Description of Change Issued by Version No. 18 November 2008 Initial draft A Hughes February 2009 Updated draft A Hughes March 2009 Updated draft A Hughes March 2009 Final version A Hughes 1.0 Page i of xiv
3 Table of Contents 1 Government Services and Your Identity Information Government plays a key role Your identity information is valuable and worth protecting You want, need and expect efficient services but not at the expense of personal privacy British Columbia is exploring a better way BC Identity Information Management Policy, fair information practices and The 7 Laws of Identity Carefully designed architecture Tight control over identity management services Secure sharing of identity information where authorized Operational management Hosting of identity services Decoupling of authentication services Standardized identity information practices Identity Repair Services Careful choice of technology Cryptographic functions Smart cards Privacy enhancing features summary... 9 Appendix A Glossary 10 Page i of xiv
4 1 Government Services and Your Identity Information As British Columbians become more reliant on information management and information technology (IM/IT), government has recognized that client-centered service delivery will only be achieved when technology is leveraged and information is shared across government. The Office of the Chief Information Officer is implementing an Information Management/Information Technology (IM/IT) plan for government to improve information sharing to better achieve citizen outcomes. The IM/IT plan is about securely connecting systems and people, identifying evidence-based outcomes and making sound investment decisions, all supported by a next generation information structure. British Columbia is leading the way. As service delivery transforms to a citizen-centric model, we are addressing the parallel transformation of identity information management in the public sector. This paper outlines privacy enhancing features of the BC Provincial Identity Information management solution Government plays a key role Documented identity information about individuals begins and ends with government. Government records Vital Events such as births and deaths and also Licensing events such as program eligibility. These documents form the foundation that underpins the identity environment. There is inherent trust placed in official documents created by governments, stemming from their stability and authoritative role in society. The paper-based world of identity information is built up on a trusted chain of documentation and personal interactions. A house of cards is built that allows people to present a composite picture of their identity to conduct business and receive or provide services. There are weaknesses in the paper identity system that can lead to unintentional mistakes or can be exploited by identity thieves. The shift to online service delivery is also pushing government to enhance and extend the identity ecosystem so that online identity information is as trusted and relied upon as paper-based identity information. 1.2 Your identity information is valuable and worth protecting The value of identity information is increasing. There is a shift underway to put the person at the focal point of service delivery the citizen centric model. Government and businesses are improving, coordinating and extending services for consolidated service delivery. Central to these improvements is a reliance on accurate, high quality identification of service recipients in order to simplify the service experience for people. The increasing use of identity information as the coordination mechanism for consolidated service delivery means that identity 1 Additional material is available on the web site of the Office of the Chief Information Officer Page 1 of 14
5 information is increasing in value both to people, who receive services, and to criminals who want to steal services and assets. The historical techniques of face-to-face interactions that have supported service delivery and identity verification in the past are being replaced with self-service and online services, resulting in the need to strengthen identification processes. Without careful design and planning, moving to new identification processes will increase, rather than decrease risk. Criminals can exploit identity information at expense of ordinary people: fraud and identity theft are growing rapidly. New approaches and systems that restore the same degree of identity certainty as in the past are needed to enable the service delivery shift. 1.3 You want, need and expect efficient services but not at the expense of personal privacy Government is expected to provide coordinated, efficient services. We hear that you want: reduction in red tape and duplication of effort; your care providers to have access to all relevant information at the right time in order to help you; and, government agencies to coordinate and share information appropriately in order to protect you and prevent bad outcomes. For example, for child protection services, several Ministries and programs need to interact closely. Also, courts, corrections services and related programs need to share information in order to protect public safety. Equally important is the protection of centralized identity services from insider abuse and unauthorized surveillance. Identity systems must be built with privacy as a design objective. You should not have to pay for improved services with your personal privacy. Well managed identity information is the key. Government must protect personal information and allow citizens to be active participants in deciding how their identity information should be collected, used and shared, in support of service delivery. Clients need to be identified accurately by government programs to ensure that services are delivered to the right person at the right time. Incorrect identification can have significant consequences, for example if medications are prescribed to the wrong person, harmful drug interactions may occur. Service providers need to be identified to a high degree of certainty to ensure that they can only access client information where authorized. For example, patient records should only be accessible by people directly involved in their care. Programs that have a need to share information about clients need to identify those clients in a consistent and accurate way to reduce the risk of incorrect information being communicated. This allows for coordinated service delivery. 1.4 British Columbia is exploring a better way A variety of solutions have been implemented in different places to address the need for high quality shared identity information. These vary in effectiveness and privacy enhancement as a government, we have studied these options and believe that we are building a better way. At one end of the spectrum, some jurisdictions have built centralized, monolithic citizen databases with a single citizen number for each person. These unique identifiers are then threaded through all service Page 2of 14
6 programs. The ability to share information and coordinate records is greatly simplified, as is the potential to profile citizens. As well, a privacy breach jeopardizes the identity information used to access financial records and other databases. At the other end of the spectrum is the free-for-all where each service creates service numbers to identify their own participants, and is unable to share them with other service providers. The unlinkability of the identity information between information silos is inherently privacy protective, but greatly hinders the ability to share information when required for improved or coordinated service delivery. It also reduces the ability of programs to detect fraud or double-dipping. A balance must be struck where government identity services are established to ensure accurate identification of people when needed, by authorized individuals, and only to the extent required. The government identity service needs to be tightly controlled and monitored to ensure compliance to legislation and policy. Service providers interact with the program to obtain accurate client identity information when needed. The government identity service can also manage identity information to prevent unauthorized threading of identity numbers from program to program. Page 3of 14
7 2 BC Identity Information Management The BC Identity Information Management solution is designed to prevent citizen profiling through a combination of policy, practices, architecture and technologies. 2.1 Policy, fair information practices and The 7 Laws of Identity The BC Identity Information Management Initiative 2 has established a set of policy, design, architecture and governance principles to guide the development of the provincial solution. These principles are based in part on the Canadian Standards Association Model Code for the Protection of Personal Information and Kim Cameron s 7 Laws of Identity 3. The principles include: Justifiable and Necessary: The use of an individual s identity information should be legally justified and necessary. Risk-Based and Proportionate: The selection of identity information management processes should be risk-based and should be proportional to the stated business goals of the program or service. Citizen choice, consent and control: Citizens should have the maximum amount of choice, consent and control over the use of service channels and identity credentials and the transfer of their identity information from one party to another. Limited information for a Limited use: The least amount of identity information possible should be collected, used, retained and disclosed by the least number of parties in any identity information transaction. Limited Ability to Link and Profile Identity Information: The ability to link identity information across unrelated programs and services and create profiles of individuals should be limited and strictly controlled (i.e., only permitted with legal authority). Trusted and Secure Environment: Trust should be established between all parties through notice, agreements, and secure and accurate information management processes. Transparency and Mutual Accountability: Activities and decisions relating to the identity information management processes should be open, transparent and understandable to all parties. All parties should have a clear understanding of their role, responsibilities and associated risks and should be accountable and responsible for their actions, acknowledging identity management as a collective responsibility. Citizen/User-centric: Identity information management processes should be citizen/user focused. Citizens should be integrated and empowered through intuitive processes and clear communications/interfaces and be provided with a seamless and consistent experience across programs and channels creating a less confusing service environment. 2 For information about identity management initiatives in the Province of British Columbia see 3 Available at Page 4of 14
8 2.2 Carefully designed architecture Through a process of research and analysis, the citizen-centric, claims-based identity architecture and associated technologies have been selected for the provincial solution. The claims-based identity architecture is similar to identity federation technology in that mechanisms are established to allow one service provider to use another provider s identity information to perform access control. The fundamental difference is that in the claims-based architecture, users control the identity information pathway. The claims-based architecture has several major components. Claims are simply facts about a person s identity. A Relying Party offers services and relies on claims from an Authoritative Party which is authoritative over some identity information. Identity claims are sent via the user s identity agent software which permits the user to inspect the claims, control and limit what information is transmitted to which service. Separating Relying Parties and Authoritative Parties and making identity claims flow under the control of the user are the main privacy features of the architecture. This also minimizes the possibility of unauthorized usage profiling. Unless explicitly configured to do so, Authoritative Parties, who issue identity claims, are unable to discover where claims are being used. Relying Parties, who consume identity claims, are able to view only the claims that the user presents, and no other information about them. Placing the citizen at the controlling point in the identity information flow is essential to giving them choice and control over their identity information. 2.3 Tight control over identity management services The key technique for protection of the security and privacy of identity information is the separation of identity information from eligibility information and eligibility status. This separation makes it structurally difficult, if not impossible, to build unauthorized profiles between programs. If a citizen registry is required to enable the solution, it will only store the minimum amount of identity information required to serve its function. Program identifiers and numbers will not be stored directly. Strict policies and standards for safeguarding the identity information will be enforced, which will limit the scope of privacy invasive actions that could be abused. By policy, programs will be not permitted to store program identifiers belonging to other programs. This will be confirmed by auditors who will be instructed to look for the unauthorized storage of identifiers. Page 5of 14
9 2.3.1 Secure sharing of identity information where authorized Integration Infrastructure Program (IIP) A central service 4, the Privacy Protective Identity Broker, will be established for secure sharing of identity information between programs where authorized. The service acts as a safe deposit box that programs will use to store encrypted versions of program service numbers. The key attributes of this service are: Programs will store encrypted versions of their program identifiers, such as Personal Health Numbers or Corrections Service Numbers; The service will be a blind store, in that it will be unable to decrypt or otherwise interpret the identity information stored within it; When one program needs information about a client from another program, it will ask the broker to issue a handle that represents the client in question. The handle is usable for a short period of time and cannot be used to profile clients. The handle is passed to the target program, which uses it to retrieve the correct program identifier to lookup the requested information. This information is passed back to the requester along with the handle. Note that at no time are the program identifiers exchanged between the programs, thus preventing profiling or the collection of program identifiers Operational management High levels of reliability, stability, security and availability for the provincial identity solution are required. To achieve this, stringent operations management practices will be implemented. These include service level agreements, standard operations practices, capacity management and audits. The solution will be integrated with the provincial technology environment for seamless delivery Hosting of identity services The user-centric claims-based identity solution uses a distributed pattern of identity sources. Many of the authoritative parties envisioned in the identity ecosystem will be large, well managed entities that are capable of operating according to provincial standards. For smaller organizations that want to participate in the identity federation, there will be a hosting service offered by the province. This will ensure adherence to operational and technical standards Decoupling of authentication services Authentication functions will be decoupled from online services. A risk to personal information arises when insiders are able to impersonate clients without their knowledge. This can occur if a program implements a poorly-designed authentication service. 4 A more complete description of the technology and features of this service will be available from the Provincial Identity Information Management initiative. Page 6of 14
10 In the claims-based architecture, Authoritative Parties use client authentication to enable the release of claims to the user s identity agent. Authoritative Parties will be required to adhere to provincial standards for encryption, authentication methods, and data elements and data protection. In general, the strength of authentication technology required will be in proportion to the quality and value of the identity claims being issued. We anticipate that at the highest level, a smart card or chip-and-pin technology will be implemented. 2.4 Standardized identity information practices Identity information management practice standards will be established for the province to ensure that identity information is consistently collected in a privacy protective manner, with appropriate consent, client control and verification procedures. Such standards will increase the quality and accuracy of identity recording and verification, leading to increased reliability and trust. Practice standards may include: establishing proof of legal name, birth date, or residency to a given level of certainty; processes for verification of foundation documents; anti-fraud techniques; and, standards for recording identity facts. A range of electronic services will be used to support programs with their identification needs. For example, a service will be created that allows programs to confirm client identity in a privacy protective manner. A clerk would ask the client to provide their program ID or other basic information. Using this information, an inquiry to a registry containing photo ID could be made which returns the photo of the person in question, with no other personal information attached. This would allow the clerk to verify that the person they are serving is the same person that enrolled earlier, and is the valid holder of the program identifier. This would allow a program clerk to confirm the identity of the person without learning other facts about them, and to prevent photo surfing. 2.5 Identity Repair Services The shift to a citizen-centric service delivery model and the associated concentration of value into personal identity, increases the benefits and risks related to the individual. If incorrect facts about a person are recorded, or a fraudster takes over an identity, the person can be seriously impacted. The distributed nature of the user-centric identity architecture could make it very difficult for a person to resolve the problem. Identity repair services will be offered in the provincial solution to address this problem. Citizens will have a single point of contact to review and correct their identity information. The contact point would be empowered to assist the person through the complex process of identity repair. 2.6 Careful choice of technology Several technologies are being used to support the provincial identity management solution. In general, the solution will be vendor-neutral, but standards-specific. This approach will allow a variety of technology solutions to co-exist and interoperate, without requiring locking-in to a specific vendor. Page 7of 14
11 2.6.1 Cryptographic functions A range of cryptographic functions will be used to support the identity information management solution. These functions include encrypted data streams to prevent eavesdropping, digital signatures to provide message integrity, one-way cryptographic hashing to prevent data tampering or decryption, and public key infrastructure to enable verification of entities in the technical trust environment Smart cards For the highest-quality identity claims, which may be established through face to face enrolment and background corroboration, smart cards may be issued. The smart card would be used as a strong authentication technique, to ensure that the person in possession of the card is the same person that enrolled for the claims and was issued the card. The card would not be used to store claim data. The smart card would also enable the use of cryptographic keys required to support the range of cryptographic functions. Page 8of 14
12 3 Privacy enhancing features summary In summary, the BC Identity Information Management initiative has incorporated privacy as a design objective, and has many privacy enhancing features built-in: Use of the CSA Model Code for the Protection of Personal Information and Kim Cameron s 7 Laws of Identity as the basis of the initiative s principles; Use of the user-centric, claims-based architecture to put the user in direct control over identity information flows; Strict policy, standards, operational practices and enforcement to ensure tight control over identity management services; A Privacy Protective Identity Broker to enable secure and private sharing of program identifiers between sectors; Identity Repair services to help people when problems arise; and, Careful choice of technologies to enable strong security where needed. The risks associated with identity information concentration cannot be eliminated entirely. However, British Columbia has designed a thoughtful, rational and flexible solution that will allow strong privacy protections and agility to respond to adverse events. We are confident that the open dialog about the identity information solution will support this conclusion, and lead to the BC Government s overarching goal to improve information sharing to better achieve citizen outcomes. Page 9of 14
13 Appendix A. - Glossary This is an abbreviated glossary, introducing some major terms associated with the user-centric claimsbased architecture. Term Citizen Client User-Centric Models Identity information Identity Claim Authoritative Party Relying Party Description An individual acting in a personal capacity. In some instances, government services may also be provided to noncitizens. For example, a visitor from Washington applying for a BC fishing license. A person seeking or receiving a service. IDIM will use the modifiers individual client or organizational client to distinguish when necessary. Puts users, rather than identity and service providers in the center of the transaction. The user or client manages and shares his or her identity information using an identity agent which can be a browser or portable personal authentication device. Certificates from authoritative identity sources can be acquired by the user and presented when proof of identity is required by service providers. User is able to release information only as they see fit. An attribute, designation or other like information that is recorded or documented somewhere and used to distinguish a unique and particular individual or organization. Identity information is normally documented in a license or accreditation form (e.g., John Smith s birth certificate, John Smith s driver s license indicating that he is licensed to drive, John Smith has an MBA). An assertion of the truth of something which pertains to a person s identity. An identity claim could convey a single attribute such as an identifier (e.g. a student number) or it could convey that a person is part of a certain group or has certain entitlements (e.g. I am over 18, I am a company employee). A set of identity claims could provide sufficient identity attributes (e.g. name, date of birth address) to permit the identification of a unique identity of a person. A party whose authority to make claims is recognized by one or more relying parties. Claims made by recognized authoritative parties are used by relying parties to make access control decisions. Examples include: Corporate Registry for Corporations, Law Society for lawyers, College of Physicians and Surgeons for doctors, the Individual for their contact information, etc. A party that accepts a credential and its assertions to conduct a transaction with a client. Page 10of 14
14 Page 11of 14
Glossary of Key Terms
and s Branch Glossary of Key Terms The terms and definitions listed in this glossary are used throughout the s Package to define key terms in the context of. Access Control Access The processes by which
More informationIDENTITY INFORMATION MANAGMENT ARCHITECTURE SUMMARY Architecture and Standards Branch Office of the CIO Province of BC People Collaboration Innovation
IDENTITY INFORMATION MANAGMENT ARCHITECTURE SUMMARY Architecture and Standards Branch Author: Creation Date: Last Updated: Version: I. Bailey May 28, 2008 March 23, 2009 0.7 Reviewed By Name Organization
More informationDRAFT Pan Canadian Identity Management Steering Committee March 1, 2010
DRAFT Pan Canadian Identity Management Steering Committee March 1, 2010 Pan Canadian Identity Management & Authentication Framework Page 1 1 Introduction This document is intended to describe the forming
More informationProvincial IDIM Program BC Services Card Project Identity Assurance Services Solution Architecture Overview
Provincial IDIM Program BC Services Card Project Identity Assurance Services Version: 0.6 2014-03-14 Document Information Document title IAS Document file name IAS Solution Architecture Introduction.docx
More informationInformation Security Basic Concepts
Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,
More informationBest Practices for the Use of RF-Enabled Technology in Identity Management. January 2007. Developed by: Smart Card Alliance Identity Council
Best Practices for the Use of RF-Enabled Technology in Identity Management January 2007 Developed by: Smart Card Alliance Identity Council Best Practices for the Use of RF-Enabled Technology in Identity
More informationTaking care of what s important to you
A v i v a C a n a d a I n c. P r i v a c y P o l i c y Taking care of what s important to you Table of Contents Introduction Privacy in Canada Definition of Personal Information Privacy Policy: the ten
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL ...The auditor general shall conduct post audits of financial transactions and accounts of the state and of
More informationFIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES
FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES The implications for privacy and security in the emergence of HIEs The emergence of health information exchanges (HIE) is widely
More informationAudio: This overview module contains an introduction, five lessons, and a conclusion.
Homeland Security Presidential Directive 12 (HSPD 12) Overview Audio: Welcome to the Homeland Security Presidential Directive 12 (HSPD 12) overview module, the first in a series of informational modules
More informationRSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS
RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS Security solutions for patient and provider access AT A GLANCE Healthcare organizations of all sizes are responding to the demands of patients, physicians,
More informationReport to the Council of Australian Governments. A Review of the National Identity Security Strategy
Report to the Council of Australian Governments A Review of the National Identity Security Strategy 2012 Report to COAG - Review of the National Identity Security Strategy 2012 P a g e i Table of contents
More informationHow To Manage Revenue Management In The Province Of Britain Colony
MINISTRY OF FINANCE REVENUE SERVICES OF BRITISH COLUMBIA REPORT January - December 2008 Table of Contents Overview... 3 Background... 3 Status Update... 4 Contract Objectives... 5 Implementing a Revenue
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationCARING HOSPICE SERVICES NOTICE OF PRIVACY PRACTICES
Original effective date: 2003 Effective date of last Revision: July 17, 2013 CARING HOSPICE SERVICES NOTICE OF PRIVACY PRACTICES Caring Hospice Services of Connecticut Caring Hospice Services of New York
More informationOntario Health Insurance Plan
Chapter 4 Section 4.08 Ministry of Health and Long-Term Care Ontario Health Insurance Plan Follow-up on VFM Section 3.08, 2006 Annual Report Chapter 4 Follow-up Section 4.08 Background The Ministry of
More informationService Line Warranties of Canada PRIVACY STATEMENT
Service Line Warranties of Canada PRIVACY STATEMENT We at Service Line Warranties of Canada ( us, our we, or Company ) consider the protection of your personal information to be a priority when you visit
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Royal Roads University_ Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they
More informationDelivery date: 18 October 2014
Genomic and Clinical Data Sharing Policy Questions with Technology and Security Implications: Consensus s from the Data Safe Havens Task Team Delivery date: 18 October 2014 When the Security Working Group
More informationM&T BANK CANADIAN PRIVACY POLICY
M&T BANK CANADIAN PRIVACY POLICY At M&T Bank, we are committed to safeguarding your personal information and maintaining your privacy. This has always been a priority for us and this is why M&T Bank (
More informationGeneral HIPAA Implementation FAQ
General HIPAA Implementation FAQ What is HIPAA? Signed into law in August 1996, the Health Insurance Portability and Accountability Act ( HIPAA ) was created to provide better access to health insurance,
More informationGUIDELINES FOR RESPONSIBLE USE OF IDENTITY MANAGEMENT SYSTEMS
GUIDELINES FOR RESPONSIBLE USE OF IDENTITY MANAGEMENT SYSTEMS When used appropriately, identity management systems provide safety and security where they are needed. When used improperly, identity management
More informationUniversity of California Policy
University of California Policy HIPAA Uses and Disclosures Responsible Officer: Senior Vice President/Chief Compliance and Audit Officer Responsible Office: Ethics, Compliance and Audit Services Effective
More informationElectronic Commerce Assurance
Electronic Commerce Assurance The Special Committee on Assurance Services identified Electronic Commerce Assurance as an assurance service CPAs can provide. To consider whether you want to provide this
More informationStandard Statement Data and System Security
1.0 Purpose State of Arkansas Office of the State Executive Chief Information Officer 124 West Capitol Avenue Suite 200 Little Rock, AR 72201 Phone 501-682-4300 Fax 501-682-2040 http://www.cio.arkansas.gov/techarch
More informationPCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
More informationHIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER
HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information
More informationTREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION The IRS2GO Smartphone Application Is Secure, but Development Process Improvements Are Needed August 29, 2011 Reference Number: 2011-20-076 This report
More informationCredit Union Code for the Protection of Personal Information
Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve
More informationLaw Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario
PRIVACY COMPLIANCE ISSUES FOR LAW FIRMS IN ONTARIO By Sara A. Levine 1 Presented at Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario Ontario Bar Association, May 6,
More informationOpenHRE Security Architecture. (DRAFT v0.5)
OpenHRE Security Architecture (DRAFT v0.5) Table of Contents Introduction -----------------------------------------------------------------------------------------------------------------------2 Assumptions----------------------------------------------------------------------------------------------------------------------2
More informationACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer
ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you
More informationHIPAA: In Plain English
HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.
More informationTaking care of what s important to you
National Home Warranty Group Inc. Privacy Policy Taking care of what s important to you Table of Contents Introduction Privacy in Canada Definition of Personal Information Privacy Policy: the ten principles
More informationARKANSAS OFFICE OF HEALTH INFORMATION TECHNOLOGY (OHIT) PRIVACY POLICIES
ARKANSAS OFFICE OF HEALTH INFORMATION TECHNOLOGY (OHIT) PRIVACY POLICIES OHIT wishes to express its gratitude to Connecting for Health and the Markel Foundation for their work in developing the Common
More informationSolution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045
Solution Brief for ISO 27002: 2013 Audit Standard Publication Date: Feb 6, 2015 8815 Centre Park Drive, Columbia MD 21045 ISO 27002 About delivers business critical software and services that transform
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationImplementing Transparent Security for Desktop Encryption Users
Implementing Transparent Security for Desktop Encryption Users Solutions to automate email encryption with external parties Get this White Paper Entrust Inc. All All Rights Reserved. 1 1 Contents Introduction...
More informationJune 1, 20111. Category: Agency
June 1, 20111 Commonwealth of Virginia Virginia Vital Events and Screening Tracking System Category: Crosss Boundary Collaboration Nominationn submitted by: Samuel A. Nixon Jr. Chief Information Officer
More informationOffice of Inspector General
INFORMATION TECHNOLOGY: The Bureau of the Public Debt s Certificate Policy Statement Should Be Updated OIG-03-009 October 24, 2002 Office of Inspector General ******* The Department of the Treasury Contents
More informationSecureCom Mobile s mission is to help people keep their private communication private.
About SecureCom Mobile SecureCom Mobile s mission is to help people keep their private communication private. We believe people have a right to share ideas with each other, confident that only the intended
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationTable of Contents. Acknowledgement
OPA Communications and Member Services Committee February 2015 Table of Contents Preamble... 3 General Information... 3 Risks of Using Email... 4 Use of Smartphones and Other Mobile Devices... 5 Guidelines...
More informationDeciphering the Legal Framework that Governs Online Identity Systems
Deciphering the Legal Framework that Governs Online Identity Systems SESSION ID: LAW-W04A Thomas J. Smedinghoff Partner Edwards Wildman Palmer LLP Chicago, Illinois TSmedinghoff@EdwardsWildman.com @smedinghoff
More informationState of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008
State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008 Background In the last ten years Arkansas has enacted several laws to facilitate electronic transactions
More informationCLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential
More information2. APPLICABILITY AND SCOPE
Department of Defense DIRECTIVE NUMBER 1000.25 July 19, 2004 Certified Current as of April 23, 2007 USD(P&R) SUBJECT: DoD Personnel Identity Protection (PIP) Program References: (a) DoD Directive 1000.22,
More informationIBM Software. IBM Initiate: Delivering Accurate Patient and Provider Identification for Canadian Electronic Health Records
IBM Software IBM Initiate: Delivering Accurate Patient and Provider Identification for Canadian Electronic Health Records IBM Initiate: Delivering Accurate Patient and Provider Identification for Canadian
More informationHome Trust & Savings Bank www.hometrustbank.com
Home Trust & Savings Bank www.hometrustbank.com Terms & Conditions Please read the following Electronic Banking Agreement before you sign the enrollment form. GENERAL TERMS This agreement (the Agreement
More informationUpdated February 15, 2008 MINISTRY OF HEALTH SOFTWARE SUPPORT ORGANIZATION SERVICE LEVEL AGREEMENT
BETWEEN: HER MAJESTY THE QUEEN IN RIGHT OF THE PROVINCE OF BRITISH COLUMBIA, represented by the Minister of Health ( the Ministry as the Province as applicable) at the following address: Assistant Deputy
More informationPrivacy Impact Assessment for the. E-Verify Self Check. March 4, 2011
for the E-Verify Self Check March 4, 2011 Contact Point Janice M. Jackson Privacy Branch, Verification Division United States Citizenship and Immigration Services 202-443-0109 Reviewing Official Mary Ellen
More informationUsing Strong Authentication for Preventing Identity Theft
Position Paper Using Strong Authentication for Preventing Identity Theft Robert Pinheiro Consulting LLC Better identity authentication has been proposed as a potential solution not only to identity theft,
More informationWhite paper. Implications of digital certificates on trusted e-business.
White paper Implications of digital certificates on trusted e-business. Abstract: To remain ahead of e-business competition, companies must first transform traditional business processes using security
More informationAttribute-Based Access Control Solutions: Federating Authoritative User Data to Support Relying Party Authorization Decisions and Requirements
Joint White Paper: Attribute-Based Access Control Solutions: Federating Authoritative User Data to Support Relying Party Authorization Decisions and Requirements Submitted Date: April 10, 2013 Submitted
More informationSection 5 Identify Theft Red Flags and Address Discrepancy Procedures Index
Index Section 5.1 Purpose.... 2 Section 5.2 Definitions........2 Section 5.3 Validation Information.....2 Section 5.4 Procedures for Opening New Accounts....3 Section 5.5 Procedures for Existing Accounts...
More informationArkansas Department of Information Systems Arkansas Department of Finance and Administration
Arkansas Department of Information Systems Arkansas Department of Finance and Administration Title: Electronic Signature Standard Document Number: SS 70 011 Effective Date: Act 722 of 2007 requires state
More informationCredit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information
Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable
More informationExternal Telehealth Videoconferencing
External Telehealth Videoconferencing Organization, as referenced below, is defined as the lower mainland collaboration of Health Authority (HA) Telehealth Programs, consisting of the Provincial Health
More informationINTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE. Guiding Principles on Cloud Computing in Law Enforcement
INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE Guiding Principles on Cloud Computing in Law Enforcement Cloud computing technologies offer substantial potential benefits to law enforcement and government
More informationWHITE PAPER. Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting Email
WHITE PAPER Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting Email EXECUTIVE SUMMARY Data Loss Prevention (DLP) monitoring products have greatly
More informationVoice Documentation in HIPAA Compliance
Voice Documentation in HIPAA Compliance An OAISYS White Paper Americas Headquarters OAISYS 7965 South Priest Drive, Suite 105 Tempe, AZ 85284 USA www.oaisys.com (480) 496-9040 CONTENTS 1 Introduction 2
More informationPublic Consultation regarding Data Sharing and Governance Bill. Contribution of Office of the Data Protection Commissioner
Submission of the Office of the Data Protection Commissioner (DPC) on the data-sharing and Governance Bill: - Policy Proposals (dated the 1 st of August 2014) Public Consultation regarding Data Sharing
More informationStandard: Information Security Incident Management
Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of
More informationHIPAA and HITECH Compliance for Cloud Applications
What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health
More informationReport of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:
Information and Privacy Commissioner of Ontario Report of the Information & Privacy Commissioner/Ontario Review of the Canadian Institute for Health Information: A Prescribed Entity under the Personal
More informationWhat is FERPA? This act is enforced by the Family Policy Compliance Office, U.S. Department of Educational, Washington, D.C.
What is FERPA? The Family Educational Rights and Privacy Act of 1974 (FERPA), as amended (also referred to as the Buckley Amendment), is a Federal law designed to protect the confidentiality of a student
More informationCommon Student Information System for Schools and School Boards. Project Summary
for Schools and School Boards May 2007 Table of Contents 1. Executive Summary...... 3 2. Project Background, Rationale, Benefits and Scope... 4 3. Procurement Process... 8 4. The Final Agreement. 10 5.
More informationB U S I N E S S G U I D E
VeriSign Microsoft Office/Visual Basic for Applications (VBA) Code Signing Digital Certificates Realizing the Possibilities of Internet Software Distribution CONTENTS + What Is Developer Code Signing?
More informationAUDIT REPORT PERFORMANCE AUDIT OF COMMUNITY HEALTH AUTOMATED MEDICAID PROCESSING SYSTEM (CHAMPS) CLAIMS EDITS
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF COMMUNITY HEALTH AUTOMATED MEDICAID PROCESSING SYSTEM (CHAMPS) CLAIMS EDITS DEPARTMENT OF COMMUNITY HEALTH AND DEPARTMENT OF TECHNOLOGY,
More informationMANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s
More informationmsb@home Montezuma State Bank Internet Banking Agreement www.montestbk.com Online banking is not available to children under 18 years of age.
msb@home Montezuma State Bank Internet Banking Agreement www.montestbk.com Online banking is not available to children under 18 years of age. General Terms This agreement (the Agreement ) made between
More informationSECURING IDENTITIES IN CONSUMER PORTALS
SECURING IDENTITIES IN CONSUMER PORTALS Solution Brief THE CHALLENGE IN SECURING CONSUMER PORTALS TODAY The Bilateral Pull between Security and User Experience As the world becomes increasingly digital,
More informationINFORMATION TECHNOLOGY POLICY
COMMONWEALTH OF PENNSYLVANIA DEPARTMENT OF PUBLIC WELFARE INFORMATION TECHNOLOGY POLICY Name Of : DPW Information Security and Privacy Policies Domain: Security Date Issued: 05/09/2011 Date Revised: 11/07/2013
More informationWHITE PAPER AUGUST 2014. Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords
WHITE PAPER AUGUST 2014 Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords 2 WHITE PAPER: PREVENTING SECURITY BREACHES Table of Contents on t Become the Next Headline
More informationCloud Computing Security Considerations
Cloud Computing Security Considerations Roger Halbheer, Chief Security Advisor, Public Sector, EMEA Doug Cavit, Principal Security Strategist Lead, Trustworthy Computing, USA January 2010 1 Introduction
More informationAstaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between
Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"
More informationMANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.
More informationBC SERVICES CARD DIRECTION
BC SERVICES CARD DIRECTION TO: THE PROVINCIAL IDENTITY INFORMATION SERVICES PROVIDER DIRECTION: 1/12 SUBJECT: Direction to the Provincial Identity Information Services Provider respecting the BC Services
More informationPROGRAM TO PREVENT, DETECT & MITIGATE IDENTITY THEFT
Office of Employee Benefits Administrative Manual PROGRAM TO PREVENT, DETECT & MITIGATE IDENTITY THEFT 150 EFFECTIVE DATE: AUGUST 1, 2009 REVISION DATE: PURPOSE: Ensure that the Office of Employee Benefits
More informationftld Registry Services Security Requirements December 2014
ftld Registry Services Security Requirements December 2014 1. define Ensure domains are compliant with and implement a name provide a description of its the name selection policy. selection policy (i.e.,
More informationAustralian Charities and Not-for-profits Commission: Regulatory Approach Statement
Australian Charities and Not-for-profits Commission: Regulatory Approach Statement This statement sets out the regulatory approach of the Australian Charities and Not-for-profits Commission (ACNC). It
More informationHEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationPrevention is Better than Cure: Protect Your Medical Identity
Prevention is Better than Cure: Protect Your Medical Identity Center for Program Integrity Centers for Medicare & Medicaid Services Shantanu Agrawal, MD, MPhil Medical Director Washington State Medical
More informationPRIVACY POLICY. Consent
PRIVACY POLICY car2go N.A. LLC and car2go Canada Ltd. (collectively, car2go ) recognize the importance of protecting your personal information. We take the protection of your personal information seriously
More informationRAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER
RaySafe S1 SECURITY WHITEPAPER Contents 1. INTRODUCTION 2 ARCHITECTURE OVERVIEW 2.1 Structure 3 SECURITY ASPECTS 3.1 Security Aspects for RaySafe S1 Data Collector 3.2 Security Aspects for RaySafe S1 cloud-based
More informationWISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, 175.9 Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009
WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, 175.9 Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009 Current Laws: It is unlawful to intentionally use or attempt
More informationMarch 2015 INTEGRATED CASE MANAGEMENT SYSTEM. www.bcauditor.com
March 2015 INTEGRATED CASE MANAGEMENT SYSTEM www.bcauditor.com CONTENTS Auditor General s Comments 3 623 Fort Street Victoria, British Columbia Canada V8W 1G1 P: 250.419.6100 F: 250.387.1230 www.bcauditor.com
More informationLabour Mobility Act QUESTIONS AND ANSWERS
Labour Mobility Act QUESTIONS AND ANSWERS Background: Agreement on Internal Trade... 1 Background: Labour Mobility Act... 3 Economic Impacts... 5 Role of Professional and Occupational Associations... 5
More informationNotice of Privacy Practices. Human Resources Division Employees Benefits Section
Notice of Privacy Practices Human Resources Division Employees Benefits Section THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
More informationOFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION
OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION CONTRACTOR SECURITY OF THE SOCIAL SECURITY ADMINISTRATION S HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12 CREDENTIALS June 2012 A-14-11-11106
More informationIBM Software Universal Health Identifiers: Issues and Requirements for Successful Patient Information Exchange
IBM Software Universal Health Identifiers: Issues and Requirements for Successful Patient Information Exchange Lorraine Fernandes, RHIA Scott Schumacher, Ph.D. Universal Health Identifiers: Issues and
More informationA unique biometrics based identifier, such as a fingerprint, voice print, or a retinal scan; or
SBA Procedural Notice TO: All SBA Employees CONTROL NO.: 5000-1323 SUBJECT: Acceptance of Electronic Signatures in the 7(a) and 504 Loan Program EFFECTIVE: 10/21/14 The purpose of this Notice is to inform
More informationSECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM
SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM Chandramohan Muniraman, Meledath Damodaran, Amanda Ryan University of Houston-Victoria Abstract As in any information management system security
More informationLeveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs
IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government
More informationGOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.
PERSONAL IDENTITY VERIFICATION (PIV) OVERVIEW INTRODUCTION (1) Welcome to the Homeland Security Presidential Directive 12 (HSPD-12) Personal Identity Verification (PIV) Overview module, designed to familiarize
More informationMeeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)
Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Executive Summary...3 Background...4 Internet Growth in the Pharmaceutical Industries...4 The Need for Security...4
More informationInformation Technology Policy
Information Technology Policy Identity Protection and Access Management (IPAM) Architectural Standard Identity Management Services ITP Number ITP-SEC013 Category Recommended Policy Contact RA-ITCentral@pa.gov
More informationWHITEPAPER. Best Practices in Registration Data Management. Government agencies can reduce fraud and turn registrant data into a powerful asset
Best Practices in Registration Data Management Government agencies can reduce fraud and turn registrant data into a powerful asset WHITEPAPER 2011 Dun & Bradstreet Executive Summary E-government has generated
More information